SAP Licensing in UK Public Sector: NHS, Crown Commercial Service and Framework Agreements

SAP's footprint in UK public sector — NHS trusts, central government, and local councils

SAP is more embedded in UK public sector than most enterprise software systems. SAP licensing NHS UK public sector represents one of the heaviest concentrations of SAP deployment in the world. The National Health Service alone runs hundreds of SAP instances across 42 integrated care boards, acute trusts, mental health trusts, and ambulance services. Each organisation is licensed separately, though they operate within a fragmented, often poorly consolidated landscape.

Beyond NHS, SAP systems support critical operational functions in:

• Central government departments: HMRC, Department for Work and Pensions (DWP), Ministry of Defence (MoD), and Home Office all operate large SAP environments processing billions of transactions annually.
• Local authorities: Hundreds of councils use SAP for corporate finance, procurement, and human resources—often inherited from decades-old contracts.
• Arm's length bodies: Regulators, NDPBs, and public agencies run SAP for everything from NHS Digital data to Ofsted reporting.

The problem is structural: public sector SAP procurement often happens behind closed doors, locked into framework agreements negotiated centrally without sufficient scrutiny of licence usage, indirect access exposure, or total cost of ownership. Contracts are frequently renewed without challenge because "everyone else is on this framework." In our experience, this is where public sector buyers leave millions on the table.

The Crown Commercial Service framework: What RM6187 and similar agreements actually deliver

The Crown Commercial Service (CCS) publishes centrally-approved frameworks for SAP, the most widely used being RM6187 and its successors. These frameworks are marketed as negotiated, "best price" agreements that eliminate the need for individual procurement exercises.

The reality is more nuanced:

What CCS frameworks provide:

• Pre-negotiated licence discounts off standard SAP list pricing (typically 15–30% depending on licence type).
• Call-off capability: Individual public bodies can order without re-running a full procurement process.
• Governance comfort: Compliance with Government Procurement Policy and Public Contracts Regulations (soon FEMA rules).
• Audit trail: CCS-approved framework provides defensibility in public audit.

Their real limitations:

• Negotiated at a very high level: Discounts apply to baseline products and support, but customised licensing terms, indirect access thresholds, and cloud migration costs are not pre-negotiated per organisation.
• Aggregated volumes hide individual risk: The framework assumes a "typical" SAP customer with "typical" licence needs. NHS trusts with 5,000+ users have very different risk profiles than smaller councils.
• No tailoring for sector-specific risk: Indirect access from patient-facing clinical systems, procurement portals, and integrated care pathways is not addressed in the standard framework terms.
• Renewal lock-in: Once an organisation is on a CCS framework, there is significant inertia to move. SAP knows this and uses it in support cost and maintenance pricing negotiations.

In short: CCS frameworks are a starting point, not an endpoint. Every public sector organisation should validate that the framework terms are actually the best available for their specific use case. In our engagements with NHS and government buyers, we find this validation is rarely performed.

NHS-specific licensing challenges: High user counts, fragmentation, and compliance complexity

NHS SAP licensing presents five distinct challenges that don't exist in other sectors:

1. Extreme user diversity and high headcount risk

NHS trusts have unusually high ratios of SAP users for their operational scale:

• Clinical staff: Doctors, nurses, pharmacists accessing SAP for prescriptions, discharge summaries, procurement of surgical supplies, and patient resource allocation.
• Administrative staff: HR, finance, procurement, and payroll teams—far larger in healthcare than equivalent manufacturing or retail environments.
• Contractors and temporary staff: Locum doctors, agency nurses, and temporary administrative workers often require SAP access during peak periods (seasonal flu campaigns, winter A&E pressures).
• External parties: GPs, social care commissioners, and connected community providers may access NHS SAP for referral data and funding information.

Each category requires different licencing approaches, and mixing them (assigning Full Licence rather than User Licence to contractors) leads to massive overspend.

2. Fragmented SAP landscapes across NHS trusts

Despite "consolidation" initiatives, NHS runs dozens of separate SAP instances:

• Some trusts run ERP (ECC 6.0 or older), others have migrated to S/4HANA.
• Individual trusts negotiated their own maintenance contracts historically; some are on annual maintenance, others on multi-year support agreements at vastly different rates.
• No centralised visibility of licence usage across the 42 ICBs.

This fragmentation makes it impossible to consolidate licensing terms across the NHS, even though the operational opportunity (moving to a single global SAP contract across all NHS entities) would generate 25–40% savings.

3. Licence compliance and audit exposure

SAP conducts far more audits in the NHS than in any other public sector buyer. Between 2018 and 2024, we tracked over 120 audit notices issued to NHS trusts. The reasons:

• High user volatility—hiring and firing of clinical and administrative staff means licence counts change monthly.
• Pressure to cut costs means IT teams often disable access without updating SAP's user management systems, leading to "ghost accounts" that SAP interprets as unlicensed use.
• NHS organisations historically underestimate indirect access exposure from clinical portals and procurement systems.

When SAP audits an NHS trust, it typically finds 15–25% underpayment on licences, leading to settlements of £500k–£2m.

NHS Shared Business Services: How managed service models complicate licence ownership and compliance

NHS Shared Business Services (SBS) is a shared service organisation owned by NHS trusts and provides finance, HR, and procurement services to over 100 NHS organisations. SBS operates shared SAP instances on behalf of client trusts, and this creates a licensing nightmare.

The compliance problem:

Under SAP's licensing model, every named user of SAP requires a licence. In an SBS arrangement:

• Does the trust (the end user of the service) own the licence, or does SBS own it on behalf of multiple trusts?
• If SBS employees use SAP, does their licence count against SBS's maintenance contract, or against the client trust's?
• When a trust's employees access the shared SAP instance via browser to view payroll or HR data, are they named users of SAP, or are they considered "light users" under a lower-cost licensing model?

SAP's standard answer is that all access = license ownership. In practice, many NHS SBS arrangements were licensed ambiguously, with costs split between SBS and client trusts in ad-hoc ways. When an audit occurs, SAP retroactively claims that the licences should have been assigned to the party with "primary operational control," often resulting in disputes over who owes back payments.

The operational problem:

SBS shared services make it almost impossible for individual trusts to conduct their own licence audits. Trusts cannot easily determine how many of their employees are users of the shared SAP system. This information is locked within SBS's administrative systems, creating a transparency void that SAP exploits.

Indirect access risk in NHS: Patient-facing systems and clinical portals

Indirect access is the biggest hidden liability in NHS SAP licensing. SAP defines indirect access as any "interaction" with SAP through a non-SAP system, portal, or API without a direct SAP user licence. Organisations must license for indirect access if the interaction allows users to view, modify, or rely upon SAP data to perform their job.

In NHS, indirect access pathways are everywhere:

Clinical portals and EHR integration

Many NHS trusts operate patient-facing or clinician-facing portals that read patient data from SAP's patient master, appointment schedules, and billing records. Examples:

• Patient appointment booking systems that query SAP's clinic master data.
• Online discharge summary systems where patients download PDF summaries generated from SAP clinical and billing records.
• GP integration portals where GPs view referral status and patient medication history stored in SAP.

Each of these is indirect access. Unless explicitly licensed, every GP, patient, and clinician accessing these portals triggers an indirect access claim.

Procurement and supply chain systems

NHS procurement platforms (such as those run by NHS Supply Chain) integrate with hospital SAP systems to pull purchase order, receipt, and invoice data. Procurement staff, clinicians ordering supplies, and external suppliers viewing order status are all indirect users of SAP under current interpretations.

Integrated care pathways and commissioning systems

As NHS integrates care across primary and secondary settings (via ICBs), shared commissioning systems now pull financial data from multiple hospital SAP instances to track spending on shared patients. This is indirect access for every commissioning manager, analyst, and finance officer accessing these integrated systems.

The cost exposure is staggering: A typical acute NHS trust running a patient portal and serving 500,000+ patients could face an indirect access bill of £2–5m if SAP decides to audit portal usage. We have seen three NHS trusts settle indirect access claims in this range since 2022.

ICB consolidations: When NHS organisations merge, what happens to their separate SAP contracts?

In 2022, NHS underwent a major restructuring, consolidating 211 Clinical Commissioning Groups (CCGs) into 42 Integrated Care Boards (ICBs). This triggered a wave of SAP licence disputes.

The licensing problem:

When two NHS trusts merge (or when a trust moves from CCG to ICB control), their separate SAP instances and separate maintenance contracts must be rationalised. The questions are:

• Do the two SAP instances consolidate into one, requiring technical migration and new licensing?
• Do they remain separate but with consolidated support contracts?
• How are licence entitlements transferred from the old entity to the new legal entity?
• Are there penalties for early termination of legacy contracts or commitments to maintain licence minimums?

SAP's playbook in these situations is to claim that consolidation triggers a "material change" in the customer relationship, justifying repricing of the entire SAP contract. We have seen ICBs face 15–30% price increases when consolidating after merger, even though their total licence count remained stable.

What should happen:

Independent audit and benchmarking of the merged SAP footprint before any contract renewal. The existence of a merger is not a valid reason to lose existing discount positions, and any price increase should be justified against external benchmarks from other comparable NHS organisations.

Central government departments using SAP: HMRC, DWP, MoD and the scale of contracts

Beyond NHS, three central government departments run massive SAP estates:

HM Revenue & Customs (HMRC)

HMRC operates one of the largest SAP installations in Europe, processing tax records, national insurance, and benefits data for 35+ million citizens. The contract is believed to involve 50,000+ named users and annual support costs exceeding £40m. The contract is managed through CCS frameworks, but HMRC's scale and criticality make it eligible for custom negotiation.

Department for Work and Pensions (DWP)

DWP runs SAP for payroll, benefits administration, and financial management across Universal Credit and legacy benefit systems. User counts are high, and the contract is similarly aged and likely under-optimised.

Ministry of Defence (MoD)

MoD operates SAP for defence logistics, supply chain, and personnel management. The scale is immense, and the contract history is not publicly disclosed.

The problem:

All three contracts have been in place for 10+ years without independent scrutiny. Maintenance pricing, indirect access terms, and support entitlements are likely locked in at rates set a decade ago, during a very different SAP licensing environment. A 10–20% efficiency gain is almost certain, but requires brave commercial renegotiation and willingness to challenge SAP's incumbent position.

GDPR and data sovereignty in public sector SAP cloud decisions

SAP is pushing public sector customers toward "RISE with SAP"—its managed cloud offering. For NHS and government, this decision carries unique data sovereignty and GDPR implications.

The regulatory risk:

• Patient data: NHS patient records stored in RISE with SAP (even if hosted in a UK data centre) are subject to SAP's standard data processing agreements, which are notoriously weighted toward SAP and provide limited UK regulatory oversight.
• Government sensitive data: HMRC tax records, DWP personal data, and MoD logistics information all trigger heightened data protection obligations. Storing these in a shared cloud environment operated by a US-headquartered company raises serious questions about government data security and residency.
• Regulatory approval: NHS and government bodies should insist on Adequacy Assessments and independent Data Protection Impact Assessments (DPIAs) before committing to RISE with SAP. Many public bodies do not conduct these.

Our advice: Public sector organisations should require explicit contractual commitments from SAP regarding data residency, encryption, regulatory compliance, and breach notification before moving to RISE. These commitments are not standard in SAP's cloud agreements and must be negotiated. Too many NHS trusts have agreed to RISE with SAP deployments without securing these terms, creating future GDPR and audit risk.

Practical cost reduction strategies for UK public sector SAP buyers

The following strategies have generated measurable savings for NHS and government bodies we have advised:

1. Independent benchmarking against peer public sector bodies

UK public sector organisations are often reluctant to share commercial information. However, SAP licensing UK benchmarks can be derived from publicly available data (procurement disclosures, annual reports, FOIA requests). Comparative analysis across the NHS (42 ICBs), central government (10+ major departments), and local councils typically reveals 20–35% variation in licence costs for identical user profiles. Using this data to challenge SAP on pricing is legitimate and often effective.

2. UKISUG membership and collective advocacy

The UK and Ireland SAP User Group (UKISUG) convenes public sector SAP customers quarterly. Participation provides visibility into peer organisations' contract negotiations, SAP roadmap developments, and industry changes. More importantly, collective advocacy through UKISUG has historically generated pressure on SAP to moderate pricing for public sector customers.

3. Audit preparation and licence optimisation before renewal

Before renewing a SAP contract, commission an independent SAP audit defence review. This identifies:

• Overpaid licence types (e.g., Full Licences assigned to contractor roles that should be User Licences).
• Unused entitlements or modules that can be removed.
• Indirect access exposures that SAP would find in an audit, allowing you to correct them proactively.

Entering a contract renewal with this intelligence is transformative. It neutralises SAP's audit threat and provides negotiating leverage.

4. Consolidation and S/4HANA migration planning

For NHS ICBs and government departments with multiple SAP instances, consolidation to a single S/4HANA platform is a strategic opportunity. While the migration cost is high (typically £5–20m), the operational and licensing savings are substantial:

• Centralised user management and single master data governance.
• Single maintenance contract vs. multiple legacy contracts.
• Opportunity to re-licence optimally at the point of migration.

Critically, consolidation should always be negotiated with SAP contract negotiation support to ensure the migration does not trigger unwarranted price increases.

5. Formalising "light user" and contractor licensing models

Many NHS organisations assign expensive Full Licences to users who only access SAP once or twice weekly for specific tasks. Formalising a tiered licensing approach—where contractors, part-time staff, and occasional users are assigned lower-cost User Licences or Non-Production Licences—can reduce spend by 15–25%. This requires rigorous user role definition and quarterly reconciliation, but the savings are substantial.

6. SAP licence optimisation as an ongoing discipline

Public sector organisations should treat SAP licensing as an operational discipline, not an IT commodity. This means:

• Quarterly review of active users and role assignments.
• Annual benchmarking against industry and public sector peers.
• Regular engagement with SAP on pricing and entitlements.
• Proactive identification and remediation of indirect access exposure.

Organisations that adopt this discipline reduce their SAP costs by 10–15% annually through optimisation alone, independent of contract renegotiation.